Create a YAML file defining the custom constraint with fields: `name: organizations/<ORG_ID>/customConstraints/custom.restrictMachineType`, `resourceTypes: [compute.googleapis.com/Instance]`, `methodTypes: [CREATE, UPDATE]`, `condition: <CEL expression>`, `actionType: DENY`.
Write a CEL condition such as `resource.machineType.contains('n1-standard') || resource.machineType.contains('e2-medium')`; with `actionType: DENY`, the request is rejected whenever the condition evaluates to true, so the machine types matched by the condition are the ones denied.
Deploy the custom constraint: `gcloud org-policies set-custom-constraint constraint.yaml`.
Create an organization policy that references the constraint: `gcloud org-policies set-policy policy.yaml` where the policy YAML specifies `spec.rules[].enforce: true` and the constraint name.
Test by attempting to create a VM with a disallowed machine type; the operation should return a `CONSTRAINT_VIOLATED` error.
Propagation of new organization policies can take up to 15 minutes; allow time before running compliance tests.
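The two files the steps above refer to, assembled here as an added example rather than text from the original page, as one multi-document YAML (`constraint.yaml` first, then `policy.yaml`); `ORG_ID_PLACEHOLDER` stands in for the real organization ID, and the `displayName` and `description` values are illustrative assumptions:

```yaml
# constraint.yaml  (pass to: gcloud org-policies set-custom-constraint constraint.yaml)
# Custom constraint evaluated on every Compute Engine instance CREATE or UPDATE.
name: organizations/ORG_ID_PLACEHOLDER/customConstraints/custom.restrictMachineType
resourceTypes:
  - compute.googleapis.com/Instance
methodTypes:
  - CREATE
  - UPDATE
# With actionType DENY the request is rejected when this CEL expression is true,
# so this is a blocklist of machine type families.
condition: "resource.machineType.contains('n1-standard') || resource.machineType.contains('e2-medium')"
actionType: DENY
displayName: Restrict machine types            # assumed value
description: Denies VM instances that use n1-standard or e2-medium machine types.  # assumed value
---
# policy.yaml  (pass to: gcloud org-policies set-policy policy.yaml)
# Organization policy that turns the custom constraint on at the organization level.
name: organizations/ORG_ID_PLACEHOLDER/policies/custom.restrictMachineType
spec:
  rules:
    - enforce: true
```

The `name` in `policy.yaml` must carry the same `custom.restrictMachineType` suffix as the constraint, and the constraint has to be deployed first or the policy step fails.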
Known gotchas
Custom constraint names must match the regex `custom\.[a-zA-Z0-9]+` and cannot exceed 70 characters after the `custom.` prefix; hyphens are not allowed.
Custom constraints are only available for resource types that expose a REST API that GCP Organization Policy can intercept; not all GCP services support custom constraints — check the supported resource type list.
Unlike built-in constraints, custom constraints must be set at the organization level before they can be referenced in policies at folder or project level.